
Commit 0b2ba1c

fix(logs): adding a resource policy statement with AnyPrincipal fails (#27787)
Because `AnyPrincipal` extends `ArnPrincipal` it gets caught up in the checks for parsing the ARN from the principal to get the account. This check should be skipped when the ARN is set to `"*"` because that can't be parsed.

Closes #27783.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 8c44f32 commit 0b2ba1c

11 files changed

+487
-2
lines changed

packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-resource-policy-any-principal.js.snapshot/LogGroupResourcePolicyAnyPrincialIntegDefaultTestDeployAssert1A3C13F5.assets.json

+19
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-resource-policy-any-principal.js.snapshot/LogGroupResourcePolicyAnyPrincialIntegDefaultTestDeployAssert1A3C13F5.template.json

+36

packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-resource-policy-any-principal.js.snapshot/aws-cdk-log-group-resource-policy-any-integ.assets.json

+19
@@ -0,0 +1,67 @@
1+
{
2+
"Resources": {
3+
"LogGroupF5B46931": {
4+
"Type": "AWS::Logs::LogGroup",
5+
"Properties": {
6+
"RetentionInDays": 731
7+
},
8+
"UpdateReplacePolicy": "Retain",
9+
"DeletionPolicy": "Retain"
10+
},
11+
"LogGroupPolicyResourcePolicy6FA18555": {
12+
"Type": "AWS::Logs::ResourcePolicy",
13+
"Properties": {
14+
"PolicyDocument": {
15+
"Fn::Join": [
16+
"",
17+
[
18+
"{\"Statement\":[{\"Action\":\"logs:PutLogEvents\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"",
19+
{
20+
"Fn::GetAtt": [
21+
"LogGroupF5B46931",
22+
"Arn"
23+
]
24+
},
25+
"\"}],\"Version\":\"2012-10-17\"}"
26+
]
27+
]
28+
},
29+
"PolicyName": "awscdkloggroupresourcepolicyanyintegLogGroupPolicy69400813"
30+
}
31+
}
32+
},
33+
"Parameters": {
34+
"BootstrapVersion": {
35+
"Type": "AWS::SSM::Parameter::Value<String>",
36+
"Default": "/cdk-bootstrap/hnb659fds/version",
37+
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
38+
}
39+
},
40+
"Rules": {
41+
"CheckBootstrapVersion": {
42+
"Assertions": [
43+
{
44+
"Assert": {
45+
"Fn::Not": [
46+
{
47+
"Fn::Contains": [
48+
[
49+
"1",
50+
"2",
51+
"3",
52+
"4",
53+
"5"
54+
],
55+
{
56+
"Ref": "BootstrapVersion"
57+
}
58+
]
59+
}
60+
]
61+
},
62+
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
63+
}
64+
]
65+
}
66+
}
67+
}
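Review bot: the statement on line 18 of this template allows `logs:PutLogEvents` to `"Principal":{"AWS":"*"}` with no `Condition` element, so the policy this integ test deploys on the log group is open to every AWS principal. The fix only needs a wildcard principal to synthesize, so consider adding a condition to the test's statement (for example one restricting by account or organization) so the deployed policy is not fully open, or add a comment in the test source saying the unconditioned wildcard is deliberate. Separately, lines 8-9 set `UpdateReplacePolicy` and `DeletionPolicy` to `Retain` on `LogGroupF5B46931`, so each test run leaves the log group behind; a destroy removal policy would suit a test stack better.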

packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-resource-policy-any-principal.js.snapshot/cdk.out

+1

packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-resource-policy-any-principal.js.snapshot/integ.json

+12

packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-resource-policy-any-principal.js.snapshot/manifest.json

+119
